Effective Date: March 15, 2026
Last Updated: March 20, 2026
This Privacy Policy describes how Ilia Kuzmin ("we," "us," or "our") collects, uses, and shares information when you use the Peek mobile application ("App") and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Data Controller
Ilia Kuzmin
Email: support@peek.cards
We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Information We Collect
2.1 Account Data
You can use the App without creating an account ("anonymous user"). In that case, we collect only:
- User ID — a unique identifier (UUID) assigned automatically to enable service delivery.
When you create an account ("registered user"), we additionally collect:
- Email address — used for authentication, account recovery, and service communications.
- Password — stored only as a cryptographic hash (bcrypt). We never store your password in plain text.
2.2 Device Data
- Device ID — a Firebase Installation ID used to identify your device for service delivery. This is collected for both registered and anonymous users.
2.3 Push Notification Data
When you use the App on a device that supports push notifications, we collect:
- Push notification token — a unique token generated by Firebase Cloud Messaging (FCM) to deliver push notifications to your device.
- Platform — your device platform (e.g., Android).
This data is necessary to send you push notifications such as study reminders and service updates. You can disable push notifications at any time through your device's system settings.
2.4 Usage Data
When you use the Service, we collect:
- Study history — training sessions, card answers, interaction types, success/failure results, and accuracy metrics.
- Deck subscriptions — which decks you follow or subscribe to.
This data is essential to provide the core flashcard learning functionality.
2.5 User Content
- Decks and cards you create, including text content, deck titles, and descriptions.
- Public decks you choose to publish are visible to other users.
2.6 Analytics Data (Opt-In Only)
If you explicitly consent, we collect analytics data via Firebase Analytics, including:
- Screen views and navigation events.
- User interactions (e.g., tapping a deck, starting a study session).
- Study session metrics (cards studied, accuracy).
Note: Authentication screens (sign-in, sign-up, forgot password, reset password) are never tracked, regardless of your consent choice.
2.7 Crash Reports (Opt-In Only)
If you explicitly consent, we collect crash reports via Firebase Crashlytics, including:
- Crash logs and stack traces.
- Device model, OS version, and app version.
- State of the app at the time of the crash.
3. How We Use Your Information
| Data Type | Purpose |
|---|---|
| Email, password hash | Account creation, authentication, password recovery |
| User ID, device ID | Service delivery, session management |
| Push notification token, platform | Delivering push notifications (study reminders, service updates) |
| Study history | Providing flashcard learning features, tracking your progress |
| User content (decks, cards) | Delivering the core service, enabling sharing of public decks |
| Analytics data | Understanding how users interact with the App to improve it |
| Crash reports | Identifying and fixing bugs, improving App stability |
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): For registered users, account data, usage data, and user content are processed to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): For anonymous users who use the App without creating an account, we process usage data (study history), user content (decks and cards), and device data on the basis of legitimate interest. The user reasonably expects the App to function — saving their cards and tracking their study progress — and the data collected is minimal, non-sensitive, and directly necessary for service delivery. We also rely on legitimate interest for security purposes, fraud prevention, and enforcing our terms of service for all users.
- Consent (Art. 6(1)(a) GDPR): Analytics data and crash reports are collected only with your explicit opt-in consent. You can withdraw consent at any time via Settings in the App.
5. Third Parties
We share data with the following third-party service providers:
Google Firebase (Google LLC)
- Firebase Analytics — receives analytics events (only if you consent).
- Firebase Crashlytics — receives crash reports (only if you consent).
- Firebase Cloud Messaging — delivers push notifications to your device.
- Firebase Installation — generates and manages device identifiers.
Google processes this data in accordance with the Google Privacy Policy and Firebase Data Processing Terms.
We do not sell your personal data to any third party.
6. International Data Transfers
Our backend servers are located in the Netherlands, within the European Economic Area (EEA). Your primary personal data (account information, user content, study history) does not leave the EEA.
Firebase services (Analytics and Crashlytics, which collect data only with your consent) may process data on servers in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as part of Google's data processing agreements.
- Appropriate technical and organizational security measures.
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (email, user ID) | While your account is active, plus 30 days after account deletion |
| Password hash | Deleted immediately upon account deletion |
| Authentication sessions | 90 days from creation |
| Email verification codes | 24 hours |
| Password reset tokens | 24 hours |
| Push notification tokens | Deleted on logout or account deletion; replaced automatically when Firebase refreshes the token |
| Study history and user content (registered users) | While your account is active; deleted upon account deletion |
| Study history and user content (anonymous users) | While the App is in use on the device; deleted after 12 months of inactivity or upon account deletion if the user later registers |
| Analytics data | 14 months (Firebase default) |
| Crash reports | 90 days (Firebase default) |
After the retention period expires, data is permanently deleted or anonymized.
8. Your Rights
Under GDPR and other applicable laws, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate personal data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to restrict processing — request that we limit how we use your data.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — withdraw your consent for analytics and crash reporting at any time via Settings in the App. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint — file a complaint with a supervisory authority in your country of residence.
How to Exercise Your Rights
- In the App: Use the account deletion feature in Settings.
- By email: Contact us at support@peek.cards. We will respond within 30 days.
We may ask you to verify your identity before processing your request.
9. Children's Privacy
The Service is not directed to children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal data from children under these ages.
If we become aware that we have collected personal data from a child under the applicable minimum age, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at support@peek.cards.
10. Tracking Technologies
The App does not use cookies. However, we use the following technologies:
- Firebase Analytics SDK — collects analytics events using device identifiers. Opt-in only.
- Firebase Crashlytics SDK — collects crash data. Opt-in only.
- Firebase Cloud Messaging SDK — manages push notification delivery using a device token.
- Firebase Installation SDK — generates a device identifier for service delivery.
You can enable or disable Analytics and Crashlytics at any time in the App's Settings. Both are disabled by default.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Categories of Personal Information Collected
- Identifiers: email address, user ID, device ID, push notification token.
- Internet or electronic network activity: study history, analytics events, crash reports.
- User-generated content: decks and cards you create.
Your Rights
- Right to know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information.
- Right to opt-out of sale: We do not sell your personal information. No opt-out is necessary, but you may contact us to confirm.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at support@peek.cards.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via a notice in the App.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
Email: support@peek.cards
This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting a qualified attorney for compliance with applicable laws.